Threat of the Week: The ATM XP Timebomb

The clock is ticking down to April 8th when Microsoft will cease to issue security updates for Microsoft XP.

The bad news for credit unions is that virtually all of their ATMs run on XP, multiple sources told Credit Union Times.

That raises the jackpot question: Will criminals feast on ATMs come April 8th?

“Those old ATMs are a timebomb,” said Paul Martini, CEO of iboss Network Security.

The good news: experts doubt the sky will fall in April. The XP ATM fleet indeed brings worries and issues to confront, but all that changes on April 8th is that Microsoft ceases to issue new updates.

Understand, too, that not all XP is created equal. Some will sunset in April, some won’t. More on that later.

For now, here is more good news: Even though conventional XP ceases to be supported in April, that does not necessarily mean fresh vulnerabilities will suddenly appear that criminals could exploit.

Elaborated Lois Hansen, vice president of product development at CO-OP Financial Services in Rancho Cucamonga, Calif.: “The immediate impact [on April 8] will not be noticeable mainly because there will be no significant change to the environment. The essence of the Microsoft announcement is that after April 8 and for the future, there will not be further application of Microsoft fixes or security patches to the XP operating system.”

That means credit unions can breathe easily in April, but not for long. Experts warn that most credit unions need to upgrade their vulnerable ATMs to ensure long-term security.

A reason for the delay in ATM upgrades, suggested Gary Walston, executive vice president at Dolphin Debit, which owns and manages ATMs for many credit unions, is that many institutions are still chafing over the expenses they incurred just two years ago to make their ATMs ADA compliant.

A further complication is that, in many instances, upgrading an ATM to a more recent and still supported operating system such as Windows 7 will mean investment not only in software but also in beefier hardware.

“Older ATMs may need several thousand dollars of hardware upgrades as well as a skilled staff to do an upgrade to Windows 7,” Martini said.

But Hansen said eventually, inaction may come with its own price.

“In the longer term and with the application of no more Microsoft security patches on the XP operating system, the credit unions who do not upgrade may be exposed to more fraud risk and they may not be able to add new features or functions to their existing ATMs,” she said.

How to avoid that fate?

At Dolphin Debit, about half of its ATMs run XP, Walston said, but he footnoted that many of those are running an XP version called XP Pro for Embedded Systems. That software, specifically created for use in devices such as ATMs, has an end of life of Dec. 31, 2016, according to Microsoft, which will continue to issue security patches until that date.

ATMs running Embedded Pro therefore are fine as is, suggested Walston, who indicated that this exclusion often is missed in discussions about what to do when XP sunsets.

Many other credit unions whose ATMs are on standard XP should investigate converting to Pro for Embedded Systems, Martini urged, saying credit unions could find a safe and inexpensive harbor there.

“Where costs are the concern, Embedded is the way to go,” he said.

Look further ahead, however, and most credit unions will need to map an upgrade route that gets their ATMs to Windows 7, Walston said.

“I believe they will need to be there to be EMV ready,” he said.

That deadline presently is set at October 2016.

The allure of Windows 7 may well convince some credit unions to hopscotch over Embedded mainly because Windows 7 provides a number of real plusses.

Robert Johnston, director of software marketing at NCR, said: “NCR actually believes that end of Windows XP support can have a positive impact on credit unions – specifically because it will help spur adoption of Windows 7 as an operating environment.”

Security is the most obvious and talked about advantage to upgrading to Windows 7, but there are other factors that should influence a financial institution’s decision related to cost and user experience, he added.

“Windows 7 is faster and easier to support, helping reduce maintenance costs. More dramatically, Windows 7 enables a modern user experience that includes swipe gestures, multi-touch functionality and scroll capabilities that make using an ATM similar to using a mobile phone or tablet computer,” Johnston said.

But what every credit union needs to do now, stressed Walston, is to come to grips with the security state of the present ATMs running XP and map out a plan for getting to the next level, be that Embedded Pro or Windows 7.

“Credit unions need to understand their risks and they need a plan to lessen them,” Walston said. “And they need to be doing that now.”